ST STM32U585 Series User Manual

UM2852
User manual
STM32U585xx security guidance for PSA Certified™ Level 3 with SESIP Profile
Introduction
This document describes how to prepare STM32U585xx microcontrollers to make a secure system solution compliant with SESIP Profile for PSA Level 3 using the STM32Cube_FW_U585_Security_certification_V1.0.0 software package included in the STM32CubeU5 MCU Package.
The B-U585I-IOT02A board integrating the STM32U585AI microcontroller is used as the hardware vehicle to implement and test a non‑secure application using secure services but it does not bring any additional security mechanism.
The security guidance described in this document applies to any boards based on STM32U585xx microcontrollers.
UM2852 - Rev 1 - June 2021
www.st.com
For further information contact your local STMicroelectronics sales office.


Summary of Contents for ST STM32U585 Series

  • Page 2: General Information

    STM32CubeU5 TFM application runs on STM32U585xx 32-bit microcontrollers based on the Arm® Cortex®‑M processor. Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
  • Page 3 The following table presents the definition of acronyms that are relevant for a better understanding of this document. Table 1. List of acronyms Acronym Description AEAD Authenticated encryption with associated data Command‑line interface Entity attestation token Graphic user interface Secure hide protection Hardware unique key Hardware...
  • Page 4: Reference Documents

    Name Title/description RM0456 Reference manual STM32U575/585 Arm®-based 32-bit MCUs (RM0456) – Revision 1 AN4992 Application note STM32 MCUs secure firmware install (SFI) overview (AN4992) – Revision 10 UM2237 User manual STM32CubeProgrammer software description (UM2237) – Revision 15 ‑...
  • Page 5: Preparative Procedures

    The TOE is distributed as an MCU with a source code package. The integrator receives the MCU directly from ST via a secure courier. To ensure that the MCU is not manipulated during TOE delivery, the integrator must verify that the user Flash is virgin (reading 0xFF everywhere with STM32CubeProgrammer) or must do an RDP regression (Level 1 ->...
  • Page 6: Secure Installation And Secure Preparation Of The Operational Environment (Agd_Pre.1.2C)

    USB cable. This connection with the PC allows the user: • Flashing the board • Interacting with the board via a UART console • Debugging when the protections are disabled The ST-LINK firmware programmed on the development board must be the V3J8M3 version.
  • Page 7: Software Setup

    This section lists the minimum requirements for the developer to set up the SDK on a Windows® 10 host, run the sample scenario and customize applications delivered in STM32Cube_FW_U585_Security_certification_V1.0.0 software package. STM32Cube_FW_U585_Security_certification_V1.0.0 software package ®...
  • Page 8 The certified configuration is the following: • RDP level 2 with password capability • Two firmware images • Two slots per firmware image • Image upgrade in overwrite mode • Hardware‑accelerated cryptography enabled • RSA 2048 asymmetric crypto scheme •...
  • Page 9: Operational User Guidance

    User roles: The following user roles are distinguished for this TOE: • Integrator: The integrator is the one to receive the TOE, perform the preparative procedures as described in Section 3 Preparative procedures, and integrate the TOE into a full IoT solution. The user operational guidance is described in Section 4.2 Operational guidance for the integrator role.
  • Page 10 RDP Level: The TOE is certified in RDP level 2 with an OEM2 password. The OEM2 password gives the flexibility in a first step to perform RDP regression from level 2 to level 1, then to perform RDP regression from level 1 to level 0 (provoking a Flash memory mass erasure) in a second step.
  • Page 11 Image upgrade strategy: The TOE is certified in overwrite mode as an image upgrade strategy (Image upgrade strategy is applicable only in the case of primary and secondary slots mode). In this configuration, the new image in a secondary slot is copied into the primary slot by overwriting the previous image, during the firmware upgrade process.
  • Page 12 Image encryption: The TOE is certified with image encryption capability enabled and with the use of encrypted firmware images. In a configuration with image encrypted capability enabled, the firmware image can be provided either in clear format or in AES‑CTR‑128 encrypted format.
  • Page 13 TOE specific information personalization: The integrator has also the privilege and responsibility of configuring cryptographic keys used by the TOE to authenticate Secure Image and non-secure image and of configuring information (cryptographic keys and instance ID) used by the TOE to compute the token value for the platform attestation.
  • Page 14: Available Interfaces And Methods Of Use (Agd_Ope.1.2C And Agd_Ope.1.3C)

    External memories use: The integrator can also choose to use external Flash or SRAM memories for its non-secure application. To use the certified configuration, it is not allowed to use external memories for non-secure applications. TOE functions changes: Finally, the integrator can choose to modify functions implemented in software in the TOE (such as replacing some cryptographic functionality with a different implementation or such as removing some functions of the TOE...
  • Page 15 Method of use: • Power-on the system as defined in RM0456. • Reset the STM32U585xx as defined in RM0456. • “Running” non‑secure application generates a reset (ArmV8 reset instruction or operation). Parameters: • Not applicable Actions: •...
  • Page 16 Method of use: • The secure image secondary slot region is located at address FLASH_AREA_2_OFFSET (defined in TFM\Linker\flash_layout.h file), as described in Figure 3. To use the secure image secondary slot, data must be written in the correct image format in the secure image secondary slot area and the Magic 16 bytes must be written in the slot area end location as described in Figure...
  • Page 17 Parameters: • The candidate image is written in the secure image secondary slot. Actions: • At each product reset, the TOE (TFM_SBSFU_Boot application) checks if a new image is pre-loaded by a non‑secure application or the standalone external loader application in the secure image secondary slot. The new secure image must be programmed at the beginning of the secure image secondary slot and must comply with the image format (image header, image payload, and image TLV) as defined by the TFM_SBSFU_Boot application.
  • Page 18 The candidate image is not installed in the non‑secure image primary slot in the case of the following errors: • Version dependency failure: The version of the non‑secure image is inconsistent with the version of the secure image.
  • Page 19 Actions: Errors: JTAG interface: Standard JTAG with SWD interface allows debugging of the TOE and integrator application. It is used according to IEEE 1149 and ADI5. When RDP is Level 2 and OEM2 password is provisioned, all debug features are disabled. JTAG/SWD remains enabled under reset only to inject OEM2 password to request RDP regression to level 1.
  • Page 20: Security-Relevant Events (Agd_Ope.1.4C)

    Method of use: • Reset the STM32U585xx as defined in RM0456. • Set the GPIO port C pin 13 (Press the user button on the B-U585I-IOT02A development board) when the TFM_SBSFU_Boot application is starting to execute. Parameters: •...
  • Page 21: Security Measures (Agd_Ope.1.6C)

    • STM32U585xx option bytes values violation: in case STM32U585xx option bytes values are not correctly configured to ensure the TOE security, the TOE secure boot procedure after reset detects the problem and blocks the TOE secure boot procedure execution: a reset is generated, except for the case of the RDP option bytes value, for which an infinite loop is executed in the secure domain.
  • Page 22: Modes Of Operation (Agd_Ope.1.5C)

    • The integrator must protect the integrity of the immutable part of the TOE (TFM_SBSFU_Boot application) until it is programmed and well protected inside the TOE of each device. • The persons responsible for the application of the procedures described in Section 3 Preparative procedures, and the persons involved in the delivery and protection of the product must have the required skills and must be aware of the security issues.
  • Page 23: Revision History

    Table 2. Document revision history Date Revision Changes 30-Jun-2021 Initial release.
  • Page 27 ST’s terms and conditions of sale in place at the time of order acknowledgement. Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of Purchasers’...
